From 16ac0d6e148b1e07e579d47de1da7ac541447bd2 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 25 Feb 2010 17:30:47 +0100 Subject: Add simple access provider --- src/providers/simple/simple_access.c | 160 +++++++++++++++++++++++++++++++++++ src/providers/simple/simple_access.h | 36 ++++++++ 2 files changed, 196 insertions(+) create mode 100644 src/providers/simple/simple_access.c create mode 100644 src/providers/simple/simple_access.h (limited to 'src/providers/simple') diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c new file mode 100644 index 000000000..4d6135fa4 --- /dev/null +++ b/src/providers/simple/simple_access.c @@ -0,0 +1,160 @@ +/* + SSSD + + Simple access control + + Copyright (C) Sumit Bose 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include + +#include "util/util.h" +#include "providers/dp_backend.h" +#include "db/sysdb.h" +#include "providers/simple/simple_access.h" + +#define CONFDB_SIMPLE_ALLOW_USERS "simple_allow_users" +#define CONFDB_SIMPLE_DENY_USERS "simple_deny_users" + +errno_t simple_access_check(struct simple_ctx *ctx, const char *username, + bool *access_granted) +{ + int i; + + *access_granted = false; + if (ctx->allow_users != NULL) { + for(i = 0; ctx->allow_users[i] != NULL; i++) { + if (strcmp(username, ctx->allow_users[i]) == 0) { + DEBUG(9, ("User [%s] found in allow list, access granted.\n", + username)); + *access_granted = true; + return EOK; + } + } + } else { + *access_granted = true; + if (ctx->deny_users != NULL) { + for(i = 0; ctx->deny_users[i] != NULL; i++) { + if (strcmp(username, ctx->deny_users[i]) == 0) { + DEBUG(9, ("User [%s] found in deny list, access denied.\n", + username)); + *access_granted = false; + return EOK; + } + } + } + } + + return EOK; +} + +void simple_access_handler(struct be_req *be_req) +{ + int ret; + bool access_granted = false; + struct pam_data *pd; + struct simple_ctx *ctx; + + pd = talloc_get_type(be_req->req_data, struct pam_data); + + pd->pam_status = PAM_SYSTEM_ERR; + + if (pd->cmd != SSS_PAM_ACCT_MGMT) { + DEBUG(4, ("simple access does not handles pam task %d.\n", pd->cmd)); + pd->pam_status = PAM_MODULE_UNKNOWN; + goto done; + } + + ctx = talloc_get_type(be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data, + struct simple_ctx); + + ret = simple_access_check(ctx, pd->user, &access_granted); + if (ret != EOK) { + pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + if (access_granted) { + pd->pam_status = PAM_SUCCESS; + } else { + pd->pam_status = PAM_PERM_DENIED; + } + +done: + be_req->fn(be_req, DP_ERR_OK, pd->pam_status, NULL); +} + +struct bet_ops simple_access_ops = { + .handler = simple_access_handler, + .finalize = NULL +}; + +int sssm_simple_access_init(struct be_ctx *bectx, struct bet_ops **ops, + void **pvt_data) +{ + int ret = EINVAL; + struct simple_ctx *ctx; + + ctx = talloc_zero(bectx, struct simple_ctx); + if (ctx == NULL) { + DEBUG(1, ("talloc_zero failed.\n")); + return ENOMEM; + } + + ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path, + CONFDB_SIMPLE_ALLOW_USERS, + &ctx->allow_users); + if (ret != EOK) { + if (ret == ENOENT) { + DEBUG(9, ("Allow user list is empty.\n")); + ctx->allow_users = NULL; + } else { + DEBUG(1, ("confdb_get_string_as_list failed.\n")); + goto failed; + } + } + + ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path, + CONFDB_SIMPLE_DENY_USERS, + &ctx->deny_users); + if (ret != EOK) { + if (ret == ENOENT) { + DEBUG(9, ("Deny user list is empty.\n")); + ctx->deny_users = NULL; + } else { + DEBUG(1, ("confdb_get_string_as_list failed.\n")); + goto failed; + } + } + + if (ctx->allow_users != NULL && ctx->deny_users != NULL) { + DEBUG(1, ("Access and deny list are defined, only one is allowed.\n")); + ret = EINVAL; + goto failed; + } + + + *ops = &simple_access_ops; + *pvt_data = ctx; + + return EOK; + +failed: + talloc_free(ctx); + return ret; +} diff --git a/src/providers/simple/simple_access.h b/src/providers/simple/simple_access.h new file mode 100644 index 000000000..0aac42a5f --- /dev/null +++ b/src/providers/simple/simple_access.h @@ -0,0 +1,36 @@ +/* + SSSD + + Simple access control + + Copyright (C) Sumit Bose 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SIMPLE_ACCESS_H__ +#define __SIMPLE_ACCESS_H__ + +#include + +#include "util/util.h" + +struct simple_ctx { + char **allow_users; + char **deny_users; +}; + +errno_t simple_access_check(struct simple_ctx *ctx, const char *username, + bool *access_granted); +#endif /* __SIMPLE_ACCESS_H__ */ -- cgit